TroveStays — Privacy Policy
This Privacy Policy explains what personal data TroveStays collects about you, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have. It is written to comply with the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) ("PDPO") and the Data Protection Principles ("DPPs") set out in Schedule 1 to the PDPO. It is part of our Terms and Conditions and applies to everyone who uses TroveStays.
A separate, shorter notice — our Personal Information Collection Statement ("PICS") — is shown to you at the point where each category of personal data is collected (at signup, at checkout, at creator-payout onboarding, and when you grant camera or photo-library access). The PICS is the document that the PDPO requires us to give you at the point of collection. This Privacy Policy is the longer-form companion to those PICS.
1. Who we are
1.1 The data user. Your personal data is collected and held by Kindleye Limited, a Hong Kong company with Business Registration number 79777743 and registered office at 26 Square Street, Sheung Wan, Hong Kong. In PDPO terms, Kindleye Limited is the "data user" — equivalent to the "data controller" in other jurisdictions. Where this Policy says "TroveStays", "we", "us", or "our", that is who is meant.
1.2 Privacy contact. Our contact for privacy matters, including PDPO data-access and correction requests, is support@trovestays.com. We treat that mailbox as our Data Protection Officer contact channel even where appointing a DPO is not mandatory.
2. The personal data we collect
For convenience the table below groups every category of personal data we collect or generate about you. The categories track the actual database schema and integrations used by the TroveStays Service.
2.1 Identity and account data
| Data | Source | Why we collect it |
|---|---|---|
| Email address | You, at signup | Account identification, login, transactional emails |
| Password (stored as a salted bcrypt hash, never as plain text) | You, at signup | Authenticating you when you log in |
| Username (lower-case, alphanumeric, dot or underscore allowed) | You, at signup | Public identifier on the Platform |
| Display name | You, at signup or in profile edit | Public name on the Platform |
| Avatar (image you upload) | You, in profile edit | Your public profile picture |
| Bio text | You, in profile edit | Public profile description |
| Instagram handle (optional) | You, in profile edit | To let other Users find your Instagram |
| User type ("traveler" or "creator") | Set on your behalf at signup; can change later | Routing you to the right features |
2.2 Preferences and personalisation
| Data | Source | Why we collect it |
|---|---|---|
| Preferred currency (ISO-4217 code) | You, at signup or in profile edit | Showing prices in your currency |
| Nationality (ISO-3166 alpha-2 code) | You, at signup or in profile edit | Required by some Suppliers/LiteAPI for accurate rates and rules |
| Travel-style and destination preferences (JSON) | You, in onboarding/profile | Personalising the Discover feed |
2.3 Booking data (Travellers)
| Data | Source | Why we collect it |
|---|---|---|
| Guest first name | You, at checkout | Required by the Supplier to identify the guest |
| Guest last name | You, at checkout | Same |
| Guest email | You, at checkout | Supplier and LiteAPI booking confirmation |
| Guest phone number | You, at checkout — passed to LiteAPI only; not stored by TroveStays | Supplier contact in case of operational issues |
| Number of adults, number of children, age of each child (0–17), number of rooms, check-in / check-out dates, room name | You, at checkout | The booking itself |
| Booking outcome data: LiteAPI booking ID, prebook ID, hotel confirmation code, selling price, net rate, currency, transaction ID (a payment-reference token, not a card number), payment method, payment status, cancellation status, cancellation fee, amount refunded, compensation amount and currency (if any) | Computed by us and returned by LiteAPI/Stripe | Operating, supporting, and reconciling your booking |
2.4 Payment data
| Data | Source | Why we collect it |
|---|---|---|
| Card number, expiry, CVV | Never collected by TroveStays. Entered by you into a payment iframe hosted by LiteAPI / Stripe. | Charging your card for the booking |
| Transaction ID (Stripe charge reference returned by LiteAPI's widget) | LiteAPI/Stripe | Reconciling and refunding the booking |
| Payment method category (e.g. "credit card", "wallet") | LiteAPI | Operational record-keeping |
2.5 Creator payout data (Creators only)
| Data | Source | Why we collect it |
|---|---|---|
Stripe connected account ID (acct_* — an opaque identifier, not a bank account number) |
Stripe (via Stripe Connect) | Routing payouts to you |
| Bank country (ISO-3166 alpha-2) | You, at payout onboarding | Setting up the Stripe Connect account |
| Stripe KYC requirement status (a list of fields Stripe is still waiting on) | Stripe | Showing you what you need to complete onboarding |
Capabilities (charges_enabled, payouts_enabled, details_submitted) |
Stripe | Knowing whether we can pay you |
| Disabled-reason text (if Stripe restricts the account) | Stripe | Telling you what to fix |
| Your bank account number, identity documents, tax identification number, and KYC documents | Never collected by TroveStays. Submitted by you directly to Stripe via Stripe's secure flow. | KYC, AML, and payout |
| Payout records: gross amount, debt applied, net amount, currency, Stripe transfer ID, Stripe payout ID, period start/end, status, failure code/message (if any) | Computed by us, returned by Stripe | Paying you correctly and auditably |
| Commission and clawback records | Computed by us | Tracking what you have earned, what is on hold, and what has been clawed back |
2.6 User-generated content and engagement
| Data | Source | Why we collect it |
|---|---|---|
| Posts (caption, hotel attribution, optional verified-stay link) | You, when posting | The core social feature |
| Videos | Uploaded by you directly to Mux (we never store the video file in our database; we only store Mux's asset and playback identifiers and quality metadata) | Hosting and streaming your video |
| Photos (where used) | Uploaded by you to Supabase Storage | Hosting and serving the image |
| Comments | You | Discussion on posts |
| Likes, follows, saves, collections | You | Personalisation and social graph |
| Post impressions (which posts you saw, how many times, when last seen) | Captured by us when you view content for ~2.5 seconds or more | Ranking the Discover feed so we do not repeat content you have already seen |
| Reviews (overall, cleanliness, location, service, value scores; written review body; booked vs actual room name) | You, after a stay | Quality measurement of hotels on the Platform; not currently shown to other Users at the date of this Policy (see clause 7) |
2.7 Device and notification data
| Data | Source | Why we collect it |
|---|---|---|
| Expo push notification token | Generated when you grant notification permission on your device | Sending notifications |
| Device type (iOS / Android / Web) | Captured by the Expo framework | Operations and debugging |
| Approximate location (only on Android when you grant permission to the Google Map view) | Your device, if you grant permission | Showing your position on the map |
2.8 Communications and support
| Data | Source | Why we collect it |
|---|---|---|
| Messages you send to support@trovestays.com, support@trovestays.com, or support@trovestays.com | You | Responding to your enquiry, complaint, or notice |
2.9 What we do not collect
- Your card number, expiry, or CVV (handled entirely by LiteAPI / Stripe).
- Your bank account number, sort code, or IBAN for payouts (handled by Stripe).
- Your contacts list, photo library other than photos you choose to upload, microphone audio, calendar entries, or health data.
- Background location.
- Sensitive personal data (health, race, religion, political opinion, sexual orientation) — we do not ask for it, and our Acceptable Use Policy prohibits posting content that gratuitously reveals other people's sensitive personal data.
3. How we collect personal data
3.1 Directly from you — when you create your account, edit your profile, complete a booking, post content, configure your payout account, message us, or interact with notifications.
3.2 From your device — push notification tokens, device type, app version, and (on Android, with permission) approximate location.
3.3 From the third parties we work with — LiteAPI sends us booking confirmations, payment statuses, refund outcomes, and cancellation events about your bookings; Stripe sends us account-status and transfer events about Creator payouts; Mux sends us video-processing outcomes.
3.4 From the way you use the Platform — analytics events that are not personally targeted but are recorded with your user ID for operational purposes (for example, post-impression records used to avoid showing you the same content twice).
4. Why we use your personal data — the purposes (DPP1)
We use your personal data for the following purposes, each of which is directly related to running the Platform:
- Providing the Service — letting you sign in, browse hotels, post content, complete a booking, leave a review, and otherwise use TroveStays as intended.
- Booking processing — sharing the minimum personal data necessary with LiteAPI (and, through them, with the Supplier hotel) to confirm and operate your stay.
- Payment processing — facilitating LiteAPI's secure widget so your card can be charged on behalf of the Supplier.
- Creator payouts — onboarding you to Stripe Connect, computing what you have earned, and arranging monthly transfers.
- Personalising the Discover feed — ranking content so you see things that match your preferences and so you do not repeatedly see the same posts.
- Notifications — sending transactional notifications (booking confirmation, cancellation, refund, new comment on your post, new post by a Creator you follow) and, where you have given express consent, promotional notifications.
- Customer support — responding to your messages, investigating complaints, handling disputes.
- Fraud prevention, security, and abuse detection — protecting the Platform, our Users, our Suppliers, and ourselves from fraud, abuse, account takeover, payment-card misuse, sanctions risk, and money laundering.
- Compliance with law — meeting our legal obligations under the PDPO, the Inland Revenue Ordinance, the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, and other laws that apply to us, and responding to lawful requests from regulators, courts, and law-enforcement agencies.
- Business operations and product improvement — running our business in a sensible way: accounting, audit, statistics, debugging, and improving how the Platform works.
- Marketing of our own services — only with your express consent, as described in Section 8.
We will not use your personal data for a new purpose that is not described in this Policy without first updating this Policy and, where required, obtaining your prescribed consent.
5. Who we share your personal data with (DPP3)
The third parties below help us run the Service. Where we share personal data with them, we do so only to the extent necessary for the purposes in Section 4, and we require them by contract to protect your data and to use it only for the purpose for which we have shared it.
| Recipient | Role | Personal data shared | Where processed |
|---|---|---|---|
| LiteAPI Travel Limited | Hotel inventory provider and merchant of record for bookings | Guest first/last name, email, phone, nationality, dates, occupancy (including children's ages), currency, payment authorisation reference; receives back booking ID, hotel confirmation code, payment status, refund and compensation outcomes | Ireland and the United States |
| Stripe (Stripe Payments Europe Ltd / Stripe Inc.) | Payment processing (via LiteAPI's widget) and Creator payouts (Stripe Connect Accounts v2) | For payment: card details entered by you directly into the Stripe-hosted iframe (we never see them); for payouts: name, email, bank country, and KYC documents that you submit directly to Stripe | Ireland and the United States |
| Mux | Video hosting, transcoding, streaming, and automated quality assessment | Your uploaded video file and a passthrough containing your TroveStays post identifier | United States |
| Supabase | Our primary database, authentication, file storage, and serverless function host | All personal data we store, encrypted at rest and accessible only through our own application logic and Row-Level Security policies | Supabase region selected for the project (current Supabase project reference: ecipelrxasjlyvrsctdq) |
| Expo Push Notification Service (Expo, Inc.) | Delivery of push notifications | Your Expo push token, the notification title and body, and any data payload necessary to deep-link you to the right screen | United States |
| Google Maps Platform (Google LLC) — Android only | Display of maps within the app on Android devices | Map viewport, hotel coordinates, and (only where you grant Android location permission) your device's approximate location | Google's global infrastructure |
| OpenStreetMap — iOS and web | Display of maps within the app on iOS and web | Map viewport and hotel coordinates (no user identifier) | OpenStreetMap's infrastructure |
| Frankfurter.app | Daily foreign-exchange rate look-ups for Creator payouts in USD | None — we send currency codes and dates, not personal data | Public service |
| Our professional advisers (lawyers, accountants, auditors) | Legal advice, audit, accounting | Only what is necessary for the engagement | Hong Kong and, where engaged, elsewhere |
| Regulators, courts, and law-enforcement bodies | Where we are required by law to disclose | Only what we are lawfully required to disclose | The jurisdiction making the request |
| A successor in a corporate transaction | Where we sell, merge, or transfer the TroveStays business | Personal data necessary for the successor to continue operating the Service under the same terms (subject to your right to delete your account before transfer) | Depends on the transaction |
We do not sell your personal data to anyone. We do not share your personal data with third-party advertising networks. We do not run third-party advertising trackers in the app.
6. Sending personal data outside Hong Kong
6.1 Several of the recipients in Section 5 are located outside Hong Kong, principally in Ireland and the United States. That means your personal data is, in the course of normal operation of the Service, sent outside Hong Kong.
6.2 Section 33 of the PDPO, which restricts cross-border transfers, is not currently in force in Hong Kong. However, we apply the safeguards recommended by the Office of the Privacy Commissioner for Personal Data ("PCPD") in its guidance on cross-border data transfer:
- (a) we sign written contracts with our processors, which include data-protection clauses requiring at least PDPO-equivalent protection;
- (b) we apply technical safeguards (encryption in transit, encryption at rest, access control) regardless of where the data is processed;
- (c) we conduct vendor due diligence before adding a new processor; and
- (d) we will not transfer your personal data to a jurisdiction where protection is materially weaker than in Hong Kong without giving you prior notice and, where required, obtaining your consent.
6.3 We will update this Policy if section 33 PDPO comes into force or if the PCPD changes its guidance materially.
7. Reviews and how we use them
7.1 After a stay, you may submit a review of the hotel (overall score, sub-scores, and an optional written body, together with whether you were upgraded and to which room). We collect and store these reviews so that we can analyse the quality of hotels on the Platform.
7.2 At the date of this Policy, individual reviews are not displayed publicly to other Users. If we change that in the future, we will:
- update this Policy and update the Terms and Conditions to explain it before doing so;
- give you the opportunity to delete or anonymise reviews you have already submitted; and
- where the change amounts to a new purpose for which the law requires consent, ask for your consent first.
7.3 You can ask us to delete a review you have submitted by writing to support@trovestays.com.
8. Direct marketing (Part 6A PDPO)
8.1 Transactional notifications are not direct marketing. When we send you a booking confirmation, a payment receipt, a refund notification, a cancellation notification, a notification that someone followed you, a notification that a Creator you follow has posted, or a similar operational message, we are not engaging in direct marketing as defined in Part 6A of the PDPO. We send these to you because they are necessary to operate the Service. You can manage push notifications in your device settings; turning them off may prevent us from getting time-critical operational messages to you.
8.2 Promotional marketing is opt-in. We do not send you marketing about products or services that go beyond the operational running of the Service (for example, a curated list of recommended hotels, a marketing newsletter, or a promotional push notification) unless you have given your express consent.
8.3 What you will see if and when we ask. Where we ask for that consent, we will tell you (in compliance with section 35C PDPO):
- (a) that we intend to use your personal data for direct marketing;
- (b) the kinds of personal data we will use;
- (c) the classes of marketing subject (for example, hotel recommendations, travel content, our own product news); and
- (d) that we cannot do so without your consent.
8.4 Opt-out is free and always available. Every promotional message we send carries a free, easy way to opt out — typically an unsubscribe link in email and an in-app toggle for push notifications. We will action your opt-out without charge and as soon as reasonably practicable.
8.5 We do not sell or rent your personal data for the direct-marketing purposes of any other person, and we will not do so without your prior written consent, as required by section 35K PDPO.
9. How long we keep your personal data (DPP2)
We keep your personal data only for as long as it is necessary for the purpose for which it was collected, or for as long as we are required by law to keep it. In practice:
| Data | Retention |
|---|---|
| Profile data, posts, comments, follows, likes, saves | Until you delete the item, or until your account is deleted, whichever comes first |
| Account itself | Until you delete it (after which we delete personal data within 30 days, subject to backup-rotation cycles of up to 90 days and any lawful retention obligation) |
| Bookings and booking-related records (guest name on the booking, email used, dates, payment status, payment reference, refund and compensation outcomes) | Seven (7) years from the date of the booking — consistent with record-keeping expectations under the Inland Revenue Ordinance and ordinary commercial dispute-resolution time-limits |
| Creator payout records (commission and payout history, clawbacks) | Seven (7) years from the relevant transaction |
| Webhook payload logs (LiteAPI and Stripe events) | 90 days, then deleted by an automated job |
| Pay-token / prebook-owner audit ledger | 7 days, then deleted |
| Push notification token | Until your device re-registers, you uninstall the app, or your account is deleted |
| Reviews | Until you delete the review or your account is deleted |
| Post impressions (which posts you saw) | While the underlying post exists and you are an account holder |
| Customer-support correspondence | Two (2) years from closure of the support ticket, unless it relates to a matter under active legal or regulatory review |
| Logs that contain personal data (for example, audit and security logs) | Up to two (2) years, after which they are anonymised or deleted |
If a legal hold applies (for example, because of pending or threatened litigation, a regulator's request, or a tax investigation), we keep the affected records for the duration of the hold even if the retention period in the table above would otherwise have expired.
10. How we protect your personal data (DPP4)
10.1 We take practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss, or other use. Those steps include:
- (a) Transport encryption. All data in transit between your device, our servers, and our processors is encrypted using TLS 1.2 or higher.
- (b) At-rest encryption. Our primary database is encrypted at rest. Passwords are stored as salted bcrypt hashes, never in plain text. Card numbers and KYC documents are never stored on our systems.
- (c) Row-Level Security. Our database uses Row-Level Security policies so that, even at the database layer, only the right user can see their own records.
- (d) Secrets management. API keys for LiteAPI, Stripe, Mux, and other processors are stored in our serverless-function secrets vault, not in client code.
- (e) Webhook integrity. Webhooks from Stripe are validated using HMAC signatures; webhooks from LiteAPI are dedup'd by event identifier and validated against a shared secret.
- (f) Rate limiting and abuse controls. Authentication, payment, and account-modification endpoints carry rate limits and abuse detection.
- (g) Vendor due diligence. We assess the security and privacy posture of each processor before integrating with them, and we re-assess them periodically.
- (h) Personnel. Personal data is accessible internally only to the smallest number of people who need it for their role, and we contractually bind our personnel and contractors to confidentiality.
- (i) Backups. We back up our database; backups are encrypted and retained on a rolling schedule.
10.2 No system is perfect. If we become aware of an unauthorised access to or loss of your personal data, we will follow the PCPD's Guidance on Data Breach Handling and the Giving of Breach Notifications (in its current form). That means notifying the PCPD, notifying you, and taking remedial steps where the breach is likely to cause real risk of harm. Mandatory breach notification is not yet a statutory requirement in Hong Kong; we commit voluntarily to the PCPD-aligned standard.
11. Your rights (DPP5 and DPP6)
You have the following rights in respect of your personal data:
11.1 Right to be informed. This Policy and the PICS shown at the point of collection tell you what we do with your data.
11.2 Right of access (section 18 PDPO). You can ask us to confirm whether we hold any personal data about you and to give you a copy. We will respond within forty (40) days of receiving a properly-formulated request and proof of your identity. The PDPO permits us to charge a fee that is not excessive; in practice we waive the fee for our own Users.
11.3 Right of correction (section 22 PDPO). If any personal data we hold about you is inaccurate, you can ask us to correct it. You can also correct most account information yourself in the Profile screen.
11.4 Withdrawal of consent / opt-out of marketing. You can opt out of any direct marketing at any time, free of charge, using the unsubscribe link in the message or the in-app toggle. We will action your opt-out without delay.
11.5 Withdrawal of push notification permission. You can turn off push notifications at any time in your device's settings. Doing so may prevent us from delivering time-critical operational messages.
11.6 Account deletion. You can delete your account from the Profile screen or by writing to support@trovestays.com. Deletion removes your personal data subject to the retention rules in Section 9 (some records, especially bookings, must be retained for accounting and dispute-resolution reasons). Personal data that has already been seen, copied, or shared by other Users (for example, screenshots of a post by a follower) is outside our control.
11.7 Complaints. If you think we have mishandled your personal data, please raise it with us first at support@trovestays.com — we want to fix problems. You also have the right to complain directly to the Office of the Privacy Commissioner for Personal Data, Hong Kong, at:
- Website:
https://www.pcpd.org.hk - Address: PCPD, 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wanchai, Hong Kong
- Phone: (+852) 2827 2827
11.8 How to make a request. Send any access, correction, deletion, or complaint request to support@trovestays.com. To protect your data we will ask you to verify your identity before we act.
12. International Users (non-Hong-Kong residents)
12.1 TroveStays is operated from Hong Kong under Hong Kong law. We make TroveStays available to Users in many countries. Where you use the Service from outside Hong Kong, this Policy still applies, and you accept that your personal data is processed in Hong Kong and in the third-party locations identified in Section 5.
12.2 Users in the European Economic Area, the United Kingdom, Switzerland. Even though Hong Kong law governs your relationship with us, where the General Data Protection Regulation (Regulation (EU) 2016/679), the UK GDPR, or equivalent local law gives you a statutory right that we would not otherwise grant you (for example, a right to erasure, a right to data portability, a right to restrict processing, or a right not to be subject to a decision based solely on automated processing), we voluntarily honour the substantive equivalent of that right on request to support@trovestays.com. We do not formally hold a Lead Supervisory Authority and we do not have a representative in the EU at the date of this Policy; we will update this section if that changes.
12.3 Users in California, USA. Where the California Consumer Privacy Act (Civil Code section 1798.100 et seq.) gives you a statutory right (for example, to know, to delete, to correct, or to opt out of "sale" or "sharing"), we voluntarily honour the substantive equivalent on request. We do not "sell" personal data and we do not "share" personal data for cross-context behavioural advertising as those terms are defined in California law.
12.4 Users elsewhere. Wherever you are, you may write to us at support@trovestays.com and we will treat you fairly and consistently with this Policy.
13. Children
13.1 TroveStays is for adults. You must be at least 18 years old to use TroveStays. We do not knowingly collect personal data from anyone under 18. If we discover that an account belongs to a person under 18, we will suspend the account and delete the associated personal data within a reasonable time.
13.2 If you are a parent or guardian and you believe a person under 18 has provided us with personal data, please write to support@trovestays.com and we will act promptly.
14. Cookies and on-device storage
The detail of what we store on your device, and why, is in our Cookie and Tracking Notice (06-cookie-and-tracking.md). In summary: we use first-party storage to keep you signed in, to remember your preferences, to cache rates so the app is fast, and to record which posts you have seen so we do not repeat them. We do not run third-party advertising trackers and we do not sell behavioural data.
15. Changes to this Policy
15.1 We may update this Policy from time to time. When we do, we will:
- (a) update the version line at the top of this Policy;
- (b) for material changes, give you at least fourteen (14) days' notice by in-app banner, push notification, or email; and
- (c) keep an archive of previous versions so you can see what was in force at any point.
15.2 If you do not accept a material change, you can close your account before it takes effect.
16. How to contact us about your personal data
- Privacy enquiries, access requests, correction requests, complaints: support@trovestays.com
- General legal: support@trovestays.com
- Postal: 26 Square Street, Sheung Wan, Hong Kong
- PCPD (regulator):
https://www.pcpd.org.hk
Version history
| Version | Date | Notes |
|---|---|---|
| 1.0 | 2026-06-11 | Initial public version. |